Date: Tue, 31 May 2016 19:28:59 +0100
From: Will Squire <will_squire@hotmail.co.uk>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: freebsd-questions@freebsd.org
Subject: Re: Can ipfw be used to limit concurrent requests from an IP?
Message-ID: <BLU436-SMTP56BAE61D59C2AEC514B937DA460@phx.gbl>
In-Reply-To: <20160528232515.Y15883@sola.nimnet.asn.au>
References: <mailman.97.1464436802.9180.freebsd-questions@freebsd.org> <20160528232515.Y15883@sola.nimnet.asn.au>
> On 28 May 2016, at 15:27, Ian Smith <smithi@nimnet.asn.au> wrote:
>
> In freebsd-questions Digest, Vol 625, Issue 7, Message: 3
> On Fri, 27 May 2016 20:34:56 +0100 Will Squire <will_squire@hotmail.co.uk> wrote:
>
> (please wrap lines < 80 columns if possible)

Thanks, will do.

>
>> Can ipfw limit the number of requests in a given amount of time from a
>> specific IP?
>>
>> To contextualise, if an IP sends requests in high concurrency (let's
>> say 50 a second) can ipfw either block requests that exceed a
>> threshold for that second (let's say the threshold is 20, 30 would be
>> blocked), or ban/deny the given IP for exceeding a threshold?
>
> Not as such. If you know the specific IP address (or range, or subnet)
> you can use stateful rules with 'limit' instead of 'keep-state' to limit
> the maximum number of concurrent connections to the port/s configured in
> a given rule; see ipfw(8). You could use a table of addresses to block
> or limit rather than hard-coding them into rule/s.

Thanks for the reply Ian. I don't think limit would work due to HTTP's
"keep-alive" feature. I believe this means a connection would be kept open
(counting as one connection) and still open to heavy polling by the client.

>
> While this is very useful for avoiding DoS of any particular service, it
> does not allow you to specify a rate, nor time limit, nor (directly) to
> block an IP address that's exceeding the given number of connections.
>
>> The aim is to lessen strain under DoS attacks, specifically for HTTP.
>> The system is using Apache and mod_evasive has been added and tested,
>> but it is not functioning correctly.
>
> I haven't used (nor heard of) mod_evasive so can't comment on that, but
> limiting the total number of connections open to a given service can
> certainly mitigate the effect of such DoS attacks.

Again, I think keep-alive might cause issues here (but please do correct me if
wrong). Limiting connections to the HTTP service might also worsen the DoS to
users.

>
> You could of course use /etc/inetd.conf (aka TCPwrappers) to limit
> connections in just the ways you want, though I'm not sure starting HTTP
> connections in that way is recommended these days. I use it for FTP and
> POP3 connections, which works very well, thus:
>
> sola# grep -v '#' /etc/inetd.conf
> ftp stream tcp nowait/7/3 root /usr/libexec/ftpd ftpd -dll -S
> pop3 stream tcp nowait/7/4 root /usr/local/libexec/qpopper qpopper -s -T 120
>
> See inetd(1), particularly re the inetd.conf setting:
> {wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]
>
> The above example limits pop3 connections to 7 children and 4
> connections per IP per minute. Excess connections are logged to
> /var/log/messages (and console.log if enabled) thus:
>
> May 21 12:31:59 sola inetd[9671]: pop3 from 182.118.103.211 exceeded counts/min (limit 4/min)
> May 21 14:21:51 sola inetd[9671]: pop3 from 182.118.99.168 exceeded counts/min (limit 4/min)
> May 21 14:21:52 sola inetd[9671]: pop3 from 182.118.99.168 exceeded counts/min (limit 4/min)
> May 21 14:26:40 sola inetd[9671]: pop3 from 182.117.230.117 exceeded counts/min (limit 4/min)
> May 21 15:34:53 sola inetd[9671]: pop3 from 182.117.207.48 exceeded counts/min (limit 4/min)
> May 21 16:26:56 sola inetd[9671]: pop3 from 182.117.226.184 exceeded counts/min (limit 4/min)
>
> You could run a script to tail messages hunting for such lines, then add
> the IP to a table if you want; for example I run a script that instantly
> bans GET requests for certain strings to any of a number of webservers.
> I also tend to check logs and hand-add naughty nets such as the above to
> a block table, never to be seen again ..

I'm not familiar with using TCPwrappers. I have seen another recommend
SSHGuard though (which I am using already). Can I do something similar
with that, or does/should it do this (add to ban table) automatically? Unsure
if SSHGuard needs any additional rules written for Apache.

>
> I also use not dissimilar connection limits to sendmail's MTA, but
> that's done in sendmail's own configuration.
>
> Others may know better ways to deal specifically with HTTP connections?
>
>> (P.S. The freebsd-ipfw list seems to be for development of the
>> technology only, so asking this here. Please let me know if this
>> isn't the case)
>
> It's usually fairly low volume and no one seems to mind usage questions,
> though the developers usually tend to let these go by.
>
> cheers, Ian

Thanks

Kind regards,

Will Squire
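Ian's suggestion of tailing /var/log/messages for inetd's "exceeded counts/min" lines and dropping the offending addresses into an ipfw block table, written out as an added POSIX sh example. This is not code from the thread, from FreeBSD or from any of the participants; the block table number (1), the rule numbers (100, 200), the per-source limit of 20 and the log sample are all assumptions or constructed for the example, and the script only prints the ipfw commands unless DRY_RUN is set to 0.

```shell
#!/bin/sh
# Added example: turn inetd "exceeded counts/min" log lines into ipfw
# table entries. Assumptions (not from the thread): table 1 is the block
# table, rules 100 and 200 are free, and 20 concurrent HTTP connections
# per source is an acceptable cap.

# Constructed sample input in the format inetd writes to /var/log/messages.
# The sshd line is there to show that unrelated lines naming an IP are
# not picked up.
SAMPLE_LOG='May 21 12:31:59 sola inetd[9671]: pop3 from 182.118.103.211 exceeded counts/min (limit 4/min)
May 21 14:21:51 sola inetd[9671]: pop3 from 182.118.99.168 exceeded counts/min (limit 4/min)
May 21 14:21:52 sola inetd[9671]: pop3 from 182.118.99.168 exceeded counts/min (limit 4/min)
May 21 14:25:00 sola sshd[1234]: Accepted publickey for will from 10.0.0.5 port 51234 ssh2
May 21 14:26:40 sola inetd[9671]: pop3 from 182.117.230.117 exceeded counts/min (limit 4/min)'

# Read log lines on stdin, print each offending address once, in the
# order first seen. Only inetd's own "... from <addr> exceeded counts/min"
# message is matched, so a log line from another daemon that happens to
# mention an address is ignored.
offenders() {
    awk '/inetd\[[0-9]+\]: .* from [0-9A-Fa-f.:]+ exceeded counts\/min/ {
            ip = ""
            for (i = 1; i <= NF; i++)
                if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !(ip in seen)) { seen[ip] = 1; print ip }
        }'
}

# Emit one "ipfw table 1 add <addr>" command per offender. Numbered
# tables work on both the older and the named-table ipfw syntax.
ban_commands() {
    offenders | while read -r ip; do
        printf 'ipfw table 1 add %s\n' "$ip"
    done
}

# One-time ruleset fragment: drop anything already in the block table
# before any stateful rule is reached, then admit HTTP with 'limit
# src-addr' so each source may hold at most 20 concurrent connections.
# As the thread notes, this caps connections, not requests: a client
# polling hard over a single kept-alive connection stays within it.
ruleset() {
    cat <<'EOF'
ipfw add 100 deny ip from "table(1)" to any
ipfw add 200 allow tcp from any to me 80 setup limit src-addr 20
EOF
}

# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.
apply_bans() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        ban_commands
    else
        ban_commands | sh
    fi
}

# Demonstration on the constructed sample; on a live host the input
# would instead be: tail -F /var/log/messages | DRY_RUN=0 apply_bans
printf '%s\n' "$SAMPLE_LOG" | apply_bans
```

The script never bans an address that it has not seen inetd itself complain about, and the awk match is anchored to inetd's message rather than to any address-shaped token, which is what keeps a line like the sshd login above out of the block table. Addresses added to table 1 stay there until removed by hand; a real deployment would want an expiry, which ipfw tables do not provide on their own.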